DocumentCode
3433899
Title
A security analysis of the OAuth protocol
Author
Feng Yang ; Manoharan, Sathiamoorthy
Author_Institution
Dept. of Comput. Sci., Univ. of Auckland, Auckland, New Zealand
fYear
2013
fDate
27-29 Aug. 2013
Firstpage
271
Lastpage
276
Abstract
The OAuth 2.0 authorization protocol standardises delegated authorization on the Web. Popular social networks such as Facebook, Google and Twitter build their APIs on the OAuth protocol to enhance the user experience of social sign-on and social sharing. The intermediary authorization code can potentially be leaked in transit, which may then lead to its abuse. This paper uses an attacker model to study the security vulnerabilities of the OAuth 2.0 protocol. The experimental results show that common attacks such as replay attacks, impersonation attacks and forced-login CSRF attacks are capable of compromising the resources protected by the OAuth 2.0 protocol. The paper presents a systematic analysis of the potential root causes of the disclosed vulnerabilities.
Keywords
authorisation; cryptographic protocols; social networking (online); API; Facebook; Google; OAuth 2.0 authorization protocol; Twitter; Web; delegated authorization; disclosed vulnerabilities; forced-login CSRF attacks; impersonation attacks; replay attacks; security analysis; social networks; systematic analysis; Authentication; Authorization; Facebook; Google; Protocols; Servers; OAuth; Single sign-on; security vulnerabilities;
fLanguage
English
Publisher
ieee
Conference_Titel
Communications, Computers and Signal Processing (PACRIM), 2013 IEEE Pacific Rim Conference on
Conference_Location
Victoria, BC
ISSN
1555-5798
Type
conf
DOI
10.1109/PACRIM.2013.6625487
Filename
6625487